Regulation of Investigatory Powers Bill

Some Scenarios

The concerns addressed herein are mostly in relation to the provisions
of Part III of the Bill, which deals with lawful access to "protected information"
which has been encrypted. Each of the little stories which follows describes
some (possibly unintended, but nevertheless undesirable) feature of this
part of the Bill. A few scenarios, starting with scenario
22, address problems identified in Part I of the Bill.

The latest version of this present text may always be downloaded from
<http://www.cs.man.ac.uk/~chl/scenarios.html>.

See my Roadmap of Schedule 1 for the convoluted
arrangements that are proposed for issuing Notices under Section 46 of
the Bill.

Code of Practice

The Bill makes provision (S62, S63) for the Secretary of State to issue
(after proper consultation) Codes of Practice governing the exercise of
the powers and duties imposed on various people under the Bill. Those exercising
such powers shall "have regard to the provisions" of the codes (S63:(1)),
but are not liable to any criminal or civil proceedings for failing to
observe them (S63:(2)). The Home Office ministers have been promising every
month for many months that a draft code would be available "in a month's
time". Most recently, during the Report Stage in the House of Commons,
the Minister promised that the code would be "published while the Bill
is going through the House" (Hansard 8 May Col. 553) which (the Bill having
only a couple of hours to remain in that house) I take as meaning "while
it is still going through Parliament".

This matter assumes particular importance because the Minister, when
explaining why some particular matter is not covered in the Bill, has regularly
been saying that it would be covered by the Code of Practice (and claiming
much benefit in this approach insofar as the code would take full account
of consultations "with industry"). However, the absence of any draft code
makes it exceedingly hard to discern the effect of certain parts of the
Bill, and it should moreover be borne in mind how relatively easy it will
be for the Secretary of State to change the code as time goes by, even
though an affirmative resolution of both Houses will be needed for any
such change.

Dramatis personae

It is traditional, amongst cryptographers, to give names, starting with
different letters of the alphabet, to the persons taking part in their
scenarios.

Alice

A person who sends and receives
encrypted messages, and is entirely innocent of all criminal intent.

Bob

A person who sends and receives encrypted messages, and not an innocent
party in some of the scenarios.

Chase

A large international banking corporation.

Dodge

A British manufacturing company.

Eve

An eavesdropper, who intercepts communications (legally or otherwise)
and would wish to decrypt them.

Frites

A French manufacturing company.

Grundy

A malicious person who harasses Alice, with the intent of getting her
sent to prison.

Hazard

An officer of the Health and Safety Executive.

Isaac

An Internet Service Provider (ISP)

Justin

A lawyer

Plod

A police officer (or, as the case may be, a customs officer, or a member
of the intelligence services).

Introductory

Scenario 1 - public-key cryptography explained

Alice and Bob each have two "key pairs", one for "signature", and one
for "encryption". Each key pair is composed of two keys, a "Public Key"
(which everyone in the world can know) and a "Private Key", which must
be a secret known only to its owner (Alice or Bob, as the case may be).

When Bob sends a message to Alice:

Bob signs it with his Private Signature Key (which only he knows).

Bob then encrypts the message with Alice's Public Encryption Key (which
everybody knows).

Alice decrypts the message with her Private Encryption Key (which only
she knows).

Alice checks the message with Bob's Public Signature Key (which everybody
knows) and thus she can be sure that the message came from Bob, and that
it has not been tampered with.

Thus Eve is unable to decrypt the message (she does not have Alice's Private
Encryption Key). In fact, even Bob cannot decrypt his own message.
It is like putting the message in a self-locking box. Anybody can close
the box, but only the person with the key can open it.

And so Plod, even when it is Bob's criminal activities that he is investigating,
has to serve his Section 46 Notice on the innocent Alice in order to find
out what is in the message. Moreover, if Plod obtains Alice's Private Key
as a result of his notice, he is thereby enabled to decrypt all communications
received by Alice, from whomsoever they may come, and indefinitely far
into the future. Which is why the Bill gives Alice the option to decrypt
the message upon Plod's request, rather than handing over her cherished
Private Key. Except that the Bill gives that option grudgingly,
with the possibility of insisting on the key in "special"
circumstances.

Note that if Plod were able to demand Bob's Private Signature Key, then
he would be in a position to impersonate Bob. Which is why announced Government
Policy and the relevant E.C. Directives, and the wording
of the Bill all make it absolutely clear that Plod is not able to
demand Signature Keys. Except that the wording of the Bill
does not actually prevent such demands (of which, again, more anon).

Scenario 2 - symmetric keys and session keys

In addition to Public/Private key pairs, it is also possible to use "symmetric"
keys for encryption (with a symmetric key, both parties have to be in possession
of the same key, which maybe they agreed to share at some clandestine meeting).
The Bill also covers the use of symmetric keys, of course.

However, it turns out that clandestine meetings are not really necessary.
Bob can easily send Alice a symmetric key using Alice's Public Encryption
Key. In fact, for technical reasons, this is absolutely standard practice.
The symmetric key is then known as a "session key" and it is typically
used for just one communication, and then discarded. Liken the session
key to a key that will open just one door, whereas the Public Encryption
Key is the Master Key that will open any door in the Hotel. The government
claims that disclosure of a session key is always sufficient to satisfy
the requirements of the Bill. We shall see.

Symmetric keys (usually in the form of a cryptographic hash of some
"passphrase") are also likely to be used for protecting data stored on
a hard disc. The Bill also makes provision for disclosure of keys in this
case.

It also turns out that it is possible for Alice and Bob to agree on
a symmetric key without ever meeting at all, and in full view of Eve, so
that neither Eve, nor Plod, nor any provision of this Bill will ever be
able to decrypt their communications. Indeed, it is always wise to remember
that a sufficiently well-informed criminal can always circumvent any provision
of Part III of this Bill.

The Form of Notices

Scenario 3 - was it delivered?

Plod serves a Section 46 Notice on Alice. If the notice is given in writing,
it should be possible to prove that it was delivered (as is ordinarily
the case when Writs and Summonses are served). If, however, Plod serves
the notice by electronic means (S46:(4)(a)), even if he can prove that
the notice was sent, as required by the Bill, that is no proof that Alice
received it. The Bill does not require such proof.

The same problem arises in S22:(1)(a) and S22:(2)(a) in connection
with authorizations and notices regarding access to communications
data. With a little bit of luck, there will be some standard procedures
set out in the Code of Practice to cover this. See also amendment
C46(4)(a).

Scenario 4 - was it genuine?

Grundy sends a spoofed Section 46 Notice to Alice, by email (or even by
snail mail), purporting to come from Plod. How is Alice supposed to know
(she is liable to two years' imprisonment if she guesses wrongly)?

Was the notice in the proper form? The Bill provides no proper form
(it is in such format as the issuer "thinks fit"). But wait! With a little
bit of luck, the Code of Practice will specify a standard format.

Who issued it? Well the office, rank or position of the issuer must
appear on it (no mention of the name, but I suppose that may be taken for
granted), so Alice will be able to check. But she won't be able to check
whether the issuer was authorised to issue it, because it will not identify
the person (Schedule 1) who gave permission for it to be issued (recall
that the issuing of a Section 46 notice is a two-stage process).

Notices sent by electronic means need to be digitally signed, which
means that Plod must previously have provided Alice, in writing,
with his Public Signature Key. This would only be useful if Plod expected
to serve notices on Alice frequently. The Home Office have stated that
matters such as these will be covered in the Code of Practice. Verbal notices
should have been outlawed entirely (see amendment
C46(4)(a)).

Scenario 5 - when does the notice expire?

Plod has served a Section 46 Notice on Alice regarding encrypted communications
received from Bob (it was one of those notices issued regarding protected
information "likely to" come into Plod's possession (S46:(1))), and has
on several occasions required her to decrypt such messages. Now, three
years later, he suddenly brings her another one.

Alice

Anyway, it seems you are in a new investigation now. Shouldn't you
have withdrawn the notice when the previous investigation was complete?
I see that interception warrants and data communications notices are supposed
to be withdrawn when their purposes have been accomplished (S9:(3), S22:(8)).

Plod

But not Section 46 notices.

Notices should contain an expiry date, or should otherwise expire (or
be renewable) at the same time as the warrant which gave permission for
the notice. Otherwise there will be no time limit on those notices which
identify information "likely to" come into the possession of the authorities
(S46(1)), which could cover a period of several months. The Minister claimed
in Committee that this was already covered (Hansard Standing Committee
F, 4th April, 12.15pm), but the Bill nowhere says so. See amendments C46(4)(
) and C46(4a).

Concern has also been raised
that this lack of a duration of the notice may violate the ECHR.

Scenario 6 - who does the key have to be given to?

Plod serves a Section 46 Notice on Alice which requires her to deliver
her key to the cleaning lady at the Police Station (S46:(5)(b)). We assume,
for the sake of argument, that said cleaning lady is covered by the safeguards
referred to in S51:(2).

The key should only be deliverable to the class of persons capable
of having permission to issue notices, as in Schedule 1:2. There
is suitable wording for this in S22:(3), which covers similar notices regarding
communications data. The Minister promised in Committee to look into this
further (Hansard Standing Committee F, 4th April, 12 noon) but nothing
further has been heard of it. See amendment
C46(5).

Scenario 7 - how soon?

Plod serves a Section 46 Notice on Alice which requires her to disclose
her key within 5 minutes (S46:(4)(c), which makes no requirement for the
time to be reasonable). It is quite impossible for Alice to comply (these
things take time). But her only recourse is to refuse to comply, wait till
she comes to trial, and then advance the defence provided under S49:(3)(a).

It would be far simpler to insert the word "reasonable" at the proper
place in S46:(4)(c) (see amendment
C46(4)(f)). The government rejected an amendment to that effect
at the Committee stage, citing S49:(3)(a) as being sufficient.

Scenario 8 - which key?

Plod

The one for the protected information (S52:(1)) which I have described
in the notice.

Alice

I believe that particular protected information can be decrypted with
one of several keys.

Plod

The one I want is the Private Key that decrypts it, key 0x1C24FA3C
I believe.

Alice

No, that key is my main Private Encryption Key. If I give you that
one, you will be able to decode all messages sent to me, whether connected
with your present investigations or not.

Plod

But I wouldn't do that. Section 51 of the Act says I mustn't!

FX

(sounds of raucous laughter from all present)

Alice

I prefer to give you the "session key" for the particular communication
you are holding.

Plod

Eh?

Alice

Yes. The protected information in the communication was encrypted with
a one-use-only "session key", and the session key was encrypted with my
key 0x1C24FA3C which you mentioned. That is absolutely standard practice,
you know. I will give you the session key for that particular communication
and you will be able to decrypt it. I will have satisfied my obligation
under the Act, and the rest of my communications will not have been compromised.

Plod

But the Act does not mention any of that fancy stuff. It just says
that if there is protected information and a key that will decrypt it,
then that is the key I am entitled to get. It says "the key" (S46:(2)(b)),
and that is obviously the principal one. If the Act had intended me to
get bogged down with all the internal workings of your decryption program,
it would have said so. Everybody knows that you have a Private Key, that
you give it to your program along with the protected information, and out
comes the plaintext. So "the key" is the one you give to your program
to do the decryption. That is the obvious meaning of the Act, and
where there is an "obvious" meaning, that is the one a Court would follow.

Alice

Well I invite you to read the definition of "key" in the Act (S52:(1)).
It says that a "key" is "any key, code, password, etc." that will
do the decryption, so my session key is certainly one of the possibilities.

Plod

Maybe so. Perhaps the Act could be interpreted that way, but it does
not look like the obvious meaning, so I doubt a Court would interpret it
that way.

Alice

But when the Bill was going through Parliament, the Minister of State
at the Home Office said, during the Committee Stage, "If there is more
than one [key] that enables protected data to be put into an intelligible
form, it is up to those who are disclosing to decide which key to use."
(Hansard Standing Committee F, 4th April, 4.30 pm), and he justified this
by reference to that definition of "key".

Plod

So? Ministers don't make the law. The Court will look at the Act, and
what the Act says is what the Act means, and if it turns out to be ambiguous,
the Court will resolve it in the obvious way.

Alice

Actually, No! According to the doctrine in Pepper vs Hart, where there
is any doubt of that sort, the Court will be bound to follow the intention
as expressed by a Minister in Parliament.

Phew! Alice is perfectly correct, as it happens. But Plod still has
one straw left to clutch at:

Plod

Ah! But you said that your "session key" was encrypted with your Private
Key. So that makes the session key protected information. And in that case
I am entitled to ask you for the key that decrypts it (i.e. your Private
Key). Observe that this notice is a "special circumstances" notice (S47:(4)(a)),
which means that I can have the actual key, not just the plaintext.

Alice

Yes, you would indeed be entitled to ask for my Private Key as you
say, but for one thing. I have just offered to give you the session key,
so you can hardly say you believe that the Private Key is "necessary" under
S46:(2)(b)(i), or that it fulfils S46(2)(d). Moreover, you can be certain
that the session key I am giving you is the correct one because you will
see that you are able to decrypt the body of the protected information
with it.

Alice had to follow a tortuous route to establish her point. It could
even be argued that the Bill is in contravention of the ECHR at this point,
because the right it gives to the noticee could hardly be described as
"foreseeable". Indeed, many lawyers who have studied the Bill have failed
to notice what the Minister has now established as the correct interpretation.

And it is still not entirely certain that Alice's response to Plod's
final ploy would stand up in Court, and I have therefore prepared an amendment
C46(2)c to cover it.

It is vital that the Bill should give Alice the right to deliver
a session key, where one is available and will satisfy Plod's need to decrypt
the protected information, and it is vital that the availability of this
right should be widely known, as the next scenario
shows. See amendments C46(2)a, C47(2)a
and C47( ).
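
The key hierarchy behind Scenarios 2 and 8, as an added example (not part of the original text): each message body is encrypted under a one-use session key, and only that session key is wrapped with Alice's Public Encryption Key, so disclosing it opens one message and no other. The RSA modulus built from two Mersenne primes and the SHA-256 keystream are toy stand-ins, assumed here so that the sketch runs with the Python standard library alone; all function names and sample messages are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy stand-in for Alice's encryption key pair (an assumption of this example).
# INSECURE by construction (Mersenne primes, no padding): it exists only so the
# key hierarchy can be shown without third-party libraries.
_P, _Q = 2**107 - 1, 2**127 - 1
ALICE_PUBLIC = (_P * _Q, 65537)                      # (n, e): everybody knows this
ALICE_PRIVATE = pow(65537, -1, (_P - 1) * (_Q - 1))  # d: only Alice knows this


def _subkeys(session_key: bytes):
    """Derive separate encryption and authentication keys from a session key."""
    return (hashlib.sha256(b"enc" + session_key).digest(),
            hashlib.sha256(b"mac" + session_key).digest())


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream (toy symmetric cipher)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_for_alice(plaintext: bytes) -> dict:
    """Sender side: fresh session key per message, wrapped under the public key."""
    n, e = ALICE_PUBLIC
    session_key = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _subkeys(session_key)
    body = _keystream_xor(enc_key, nonce, plaintext)
    return {
        "wrapped_key": pow(int.from_bytes(session_key, "big"), e, n),
        "nonce": nonce,
        "body": body,
        "tag": hmac.new(mac_key, nonce + body, hashlib.sha256).digest(),
    }


def unwrap_session_key(message: dict, private_exponent: int = ALICE_PRIVATE) -> bytes:
    """Alice's side: recover the session key of ONE message with her private key."""
    n, _ = ALICE_PUBLIC
    return pow(message["wrapped_key"], private_exponent, n).to_bytes(16, "big")


def open_with_session_key(message: dict, session_key: bytes) -> bytes:
    """Recipient of a disclosure: the tag check shows whether the key is genuine."""
    enc_key, mac_key = _subkeys(session_key)
    expected = hmac.new(mac_key, message["nonce"] + message["body"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, message["tag"]):
        raise ValueError("session key does not belong to this message")
    return _keystream_xor(enc_key, message["nonce"], message["body"])


def disclosure_demo() -> dict:
    # Constructed sample traffic: one message named in the notice, one unrelated.
    named = encrypt_for_alice(b"message from Bob named in the notice")
    unrelated = encrypt_for_alice(b"unrelated message from another correspondent")

    disclosed = unwrap_session_key(named)   # done by Alice; private key stays with her

    result = {"named_plaintext": open_with_session_key(named, disclosed)}
    try:
        open_with_session_key(unrelated, disclosed)
        result["unrelated_opened_with_disclosed_key"] = True
    except ValueError:
        result["unrelated_opened_with_disclosed_key"] = False

    # Holding the private key instead opens every message ever sent to Alice.
    result["private_key_opens_both"] = all(
        open_with_session_key(m, unwrap_session_key(m)) for m in (named, unrelated))
    return result


if __name__ == "__main__":
    print(disclosure_demo())
```

The failed tag check on the unrelated message is the counterpart of Alice's last point in the dialogue: whoever receives a session key can confirm it is the right one by seeing that the body decrypts.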

The Plaintext Alternative

The bill provides that, as an alternative to disclosing the key, it
will suffice for the noticee to decrypt the protected information (or provide
access to it, as the case may be), except where the notice directs that
the actual key is required, which it may only do if there are "special
circumstances of the case" (S47:(4)(a)).

It is hard to envisage what those special circumstances might be,
and the Government has consistently failed to give examples of how it is
intended to be used, in spite of being repeatedly so asked. The most we
have heard is that the power might be used where the noticee was not to
be trusted (and, indeed, production of a session key could reasonably be
required in that case). Also, it might be used where there were time constraints
(but it takes no longer to provide plaintext than it does to provide a
session key, and we are told that session keys will always suffice). And
it might be used in cases involving "security", whatever that might mean
(Hansard Standing Committee F, 4th April, 4.30 pm).

But, with a little bit of luck, the Code of Practice will set out
in full what those "special circumstances" might be.

Scenario 9 - is our Private Key safe?

Justin is a lawyer who is advising Chase concerning the R.I.P. Bill. He
has read the Bill carefully (but he has not read Hansard - why should he?).
So he has not spotted the possibility that disclosure of session keys would
always suffice (see scenario
8), which is not surprising in view of the fact that I know of several
lawyers who failed to spot this "feature" of the Bill. Justin is discussing
with a senior manager of Chase.

Chase

We have a widely known Public
Encryption Key which is used by our clients worldwide when sending us instructions
to make substantial transfers of money. We have elaborate procedures in
place to protect the corresponding Private Key. Our reputation as a trustworthy
international banker would be ruined if that Private Key should be compromised
- even a rumour to that effect would be disastrous. Is there any possibility
under this Bill that we could be required to disclose this key to some
agency of the British Government?

Justin

The Bill makes provision for you to disclose the plaintext of any communication
instead of disclosing the key. I think they would expect you to provide
a very rapid turnaround when they sent you a request for the plaintext
to a given message, though.

Chase

No problem there. Assuming the request was lawfully authorised, we
should be happy to decrypt it and send it back within seconds, if needs
be. But if plaintext is what they want, why does the Bill speak all the
time about disclosing keys?

Justin

They are alternatives. The government has stated that it expects plaintext
rather than keys to be handed over in the overwhelming majority of cases,
especially in the case of respectable businesses such as yourselves.

Chase

So we would get to choose which to hand over then?

Justin

Yes. ... Well almost. ... Actually, if there were "special circumstances
of the case" such that the whole purpose of their investigation would be
defeated without the actual key, then they can insist on the key. But I
cannot see that happening in practice.

Chase

But there is a theoretical possibility that it could?

Justin

Yes.

Chase

Even a theoretical possibility is exceedingly worrying to us. If we
give them our Private Key, will they keep it secure? Keeping a key secure
costs serious amounts of money you know.

Justin

Yes. Various government agencies have considerable expertise in that
area.

Chase

And the Bill requires them to take all necessary steps in that regard?

Justin

Er. ... No.

Chase

Another theoretical possibility to worry about then. Now suppose it
becomes publicly known that an agency of the British Government has our
Private Key. What then?

Justin

The British Civil Service is the most trustworthy such service in the
world. They would never allow such a leak to occur.

Chase

What never?

Justin

Well hardly ever!

Chase

Well the stories I hear are that such leaks do occasionally occur.
Stories get posted on the Internet, and then the British Security Services
run around like scalded cats trying to shut down the offending websites,
with the immediate consequence that the story pops up on hundreds of other
sites around the world, amidst a huge blaze of publicity in the media.

Justin

But even if the information does leak, remember that the Bill forbids
the agency from using your key to decrypt anything unconnected with the
particular investigation, so the security of the communications of your
other clients is not affected.

Chase

Yes. You know that, and maybe even I know that. But try explaining
that to our clients in Ankara, or in Moscow, or in Jakarta. Not only would
they not believe it, they would think we were crazy for even contemplating
such a dumb thing. And in our business, having clients that think you are
crazy is not a good thing - such clients tend to take their business
elsewhere.

Moving on, then, suppose we just plain refused to hand over our key.
What then?

Justin

Your Company would be liable to an unspecified fine, but you personally,
as a manager would be in the clear (S69:(1)). But there is a problem. That
would apply if they served the notice on the Company. But they might decide
to serve it on your computer administrator Bob, and the notice might require
him to keep it secret (S50), even from you (though, with a little bit of
luck, the Code of Practice might allow you to be told). So Bob would have
to disclose your key, and the Company would not even be aware that it had
happened.

Chase

That's all right. I shall just instruct Bob never to disclose the key
in such circumstances.

Justin

No, that won't work because Bob, not being a "director, manager, secretary
or similar" of the Company is not protected by S69:(1). He could go to
prison for 2 years.

Chase

Then we shall arrange for our important keys to be kept in a tamper-proof
iron box, so that it is impossible for even Bob to get them
out of it. In fact nobody, but nobody will be able to get them out. For
backup, we shall have arranged to split each key into, say, 8 parts so
that at least 6 are needed to put the key together again, and we shall
give each part to a different person, with enough of them being based outside
the United Kingdom.

Justin

No, that won't work either, because they will just require you to order
each of those key keepers to send his piece in to you (according to S52:(2)
you are considered to be in possession of the key yourself if one of your
underlings has it). It might just work if the person abroad is a senior
manager of the Company who is not answerable to you. But then, if there
were reciprocal arrangements in force, they would just go after him in
his own country.

Chase

So, to summarize, we are quite OK except in the unlikely but theoretically
possible event that they demand our actual key, or in the unlikely but
theoretically possible event that our key gets stolen from their possession,
or in the unlikely but theoretically possible event that the fact that
they hold our key becomes publicly known, or if we are unlucky and this
Code of Practice, which has not been published yet, allows the key to be
taken without our knowledge?

Justin

Yes, that about sums it up.

Chase

But do you realise what would be the consequences to our Company if
one of those unlikely but theoretically possible events were actually to
occur? We are a Company who are absolutely dependent upon the trust and
confidence in us of our clients worldwide. Loss of that confidence, if
it could even be expressed in financial terms, might amount to £100,000,000.
Even if we were immediately to revoke our key, and generate a new one,
and inform all our clients to use it, that would still cost a lot of money,
and the loss of confidence would be almost as bad.

No! We, as a Company, cannot afford to take that risk, however slight
it might be. So what can we do?

Justin

My advice would be to relocate the centre of your operations to Dublin.

Sigh! If only Justin had known what Alice knew in the previous
scenario. But the significance of session keys as a complete solution
to all the problems above seems to have been completely overlooked, not
least by the government. Everybody involved in this business (government
included) has been talking and behaving as if loss of Private Keys were
a real possibility. Real-life lawyers have already been giving the same
advice as Justin. And why should this be so? Because the government has
failed to point out the true situation, not least by drafting the Bill
in such a way as to suggest the exact opposite of what it actually says.

I believe the Prime Minister has said he wants Britain to be the
best country in which to carry on electronic business. The Bill, if interpreted
as above, would make it one of the worst.
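
The backup arrangement Chase proposes in the dialogue (8 parts, any 6 of which rebuild the key), as an added example that is not part of the original text. It uses Shamir's secret sharing, one standard scheme with that property; the text does not say which scheme Chase has in mind. The 5/3 split of holders between the United Kingdom and abroad, the field prime and all names are assumptions of the example.

```python
import secrets

# Arithmetic is done modulo a prime larger than any key to be split.
# 2**521 - 1 is a Mersenne prime, comfortably above a 256-bit key.
PRIME = 2**521 - 1


def split_key(secret: int, parts: int = 8, needed: int = 6) -> list:
    """Split `secret` into `parts` shares; any `needed` of them rebuild it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    if not 1 <= needed <= parts:
        raise ValueError("threshold must be between 1 and the number of parts")
    # Random polynomial of degree needed-1 whose constant term is the secret.
    coefficients = [secret] + [secrets.randbelow(PRIME) for _ in range(needed - 1)]
    shares = []
    for x in range(1, parts + 1):
        y = 0
        for c in reversed(coefficients):      # Horner evaluation of f(x)
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def rebuild_key(shares: list) -> int:
    """Lagrange interpolation at x = 0. With fewer shares than the threshold
    this returns an unrelated field element, not an error."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        numerator, denominator = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                numerator = numerator * (-xj) % PRIME
                denominator = denominator * (xi - xj) % PRIME
        secret = (secret + yi * numerator * pow(denominator, -1, PRIME)) % PRIME
    return secret


def holder_demo() -> dict:
    # Constructed scenario: 8 key keepers, 5 in the UK and 3 abroad, so the
    # UK-held parts alone stay below the threshold of 6.
    locations = ["UK"] * 5 + ["abroad"] * 3
    key = secrets.randbits(256)               # stand-in for the key being backed up
    shares = split_key(key, parts=8, needed=6)

    uk_shares = [s for s, loc in zip(shares, locations) if loc == "UK"]
    abroad_shares = [s for s, loc in zip(shares, locations) if loc == "abroad"]
    return {
        "uk_only_recovers": rebuild_key(uk_shares) == key,
        "uk_plus_one_abroad_recovers": rebuild_key(uk_shares + abroad_shares[:1]) == key,
    }


if __name__ == "__main__":
    print(holder_demo())
```

The arithmetic only enforces the threshold; Justin's objection in the dialogue is about who can be ordered to hand a part in, which no splitting scheme addresses.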

Signature-only keys

The Bill purports to ensure (S46:(6)(a)) that a person can never be
compelled to disclose his Private Signature Key. Nevertheless, there are
circumstances where a person could be so compelled, as the following scenarios
show. Moreover, it needs to be realized that it is technically impossible
to prevent a genuine signature-only key from being used for encryption
(depending on the cryptographic system employed, this can range from trivially
easy through to difficult-but-by-no-means-impossible).

Scenario 10 - protection of Private Keys

Alice keeps a Private Signature(-only) Key which is stored in her computer.
To prevent improper use of it, it is encrypted with a password (more likely
a lengthy "passphrase") which she keeps in her head, and which she has
to type in every time she signs a document.

Evidently, the encrypted key is "protected information" (by S52:(1),(4)).
Hence, if it comes into the possession of Plod (by seizure of Alice's computer,
for example) Plod may, by notice (S46:(1)(a)), demand Alice's passphrase,
notwithstanding he would then hold Alice's signature-only key. Observe
that Plod is not in breach of S46:(6)(a). He is not asking
for Alice's signature-only key (which he is prohibited from doing). He
is asking for her passphrase, which itself is undoubtedly an encryption
key.

The Home Office take the view that a Court would regard S46:(6)(a)
as prohibiting such indirect access to the signature-only key, but I regard
this as being optimistic given the clear chain of reasoning exhibited above.
Therefore the possibility should be explicitly prohibited (amendment
C46(6)b).

Scenario 11 - authority to access Private Encryption Keys

Chase accepts electronic cheques encrypted with its Public (and widely
known) funds transfer Encryption Key. The corresponding Private Key is
kept inside a tamper-proof iron box, and the computer inside that box is
the only point at which actual decryption of cheques is possible. The compromise
or disclosure of the key would have dire consequences for Chase, as has
already been described.

The box will decrypt cheques upon receipt of an authorizing token digitally
signed by one of Chase's transaction processing computers, which itself
will only issue such tokens under the circumstances programmed into it,
which will include the presence of some further token digitally signed
by Bob (who is an official in the company), doubtless in conjunction with
a further token digitally signed by several members of the Board of Directors
authorizing Bob to exercise that authority.

Thus Bob can use his Private Signature Key (which he uses to sign all
sorts of other documents within the company) to create tokens which grant
access to the decryption engine inside the iron box. Thus, the present
definition of "key" in S52:(1) would appear to cover:

The Private Key in the iron box

The various tokens recognized by the iron box

Bob's Private Signature Key

since any one of those can be used, directly or indirectly, to cause the
decryption of electronic cheques. Thus Bob's Private Signature Key is,
according to different definitions in the Bill, both a decryption key
and a signature key (even though the technical manner of its use is always
to sign things - in this case tokens).

For the removal of all doubt, the definition of electronic signature
(S52:(1)) should be strengthened to cover such situations. See amendments
C52(1)a)
and C52(1)(b).

Scenario 12 - signature keys previously used for encryption

Alice has a key generated long before the Bill was passed which could be
used for both signature and encryption (that was the standard practice
in those days). She regularly uses it for signatures, and would be greatly
inconvenienced if forced to generate a new signature-only one - for the
greatest assurance that her publicly known key indeed belongs to her is
the fact that she has consistently been using it these many years.

She last used it for decrypting a message 5 years ago. Nevertheless,
that is enough to give Plod the right to force her to disclose it (S46:(6)(b)).
But why should Plod do such a thing? Suppose Grundy, with malicious intent,
sends Alice a message encrypted with the corresponding Public Key (or worse,
if it really was a signature-only key, manipulates it so as to be used
for encryption - not a difficult feat, technically speaking, with most
systems). Of course, he ensures that Plod becomes aware of the fact, together
with other suitably incriminating "evidence", and Plod decides to issue
a Section 46 Notice. Alice is required to comply (and the fact that she
never even decrypted Grundy's message is irrelevant).

S46:(6)(b) should merely require that the signature key had not been
used for encryption within some timescale relevant to the matters that
are under investigation (amendment C46(6)a).

Scenario 13 - information in obscure formats

Plod has intercepted (or obtained from a seized computer) a document in
an obscure format that he does not recognise, though he has no grounds
for believing that it is encrypted. He serves a Section 46 notice on Alice.

Plod

This document is in an unintelligible format, therefore it is protected
information (S52:(1)). Give me the key to it.

Alice

Eh? That document is not encrypted. It is just a textual document
written in Microsoft Word, and the only key needed to understand it is
the Microsoft Word program, which you can buy for yourself for a modest
consideration from any computer store. You had no business using the RIP
Act in this situation - there are powers in PACE that are appropriate in
these cases.

Plod

Maybe so. But the wording of the Act evidently covers this case, and
so I chose to use it.

Indeed Plod is using an inappropriate sledgehammer to crack this
nut, but the present definition of "key" in S52:(1) is on his side. It
should be reworded to require that a key, as used for encryption purposes,
should be accompanied by an intent to conceal (amendment
C52(1)c).

The Offence of failure to comply

Scenario 14 - lost or disused keys

Alice now has separate signature and encryption keys. In order to ensure
the absolute secrecy of her (perfectly lawful) communications, she regularly
generates a fresh Public/Private Encryption Key Pair every six months,
and requests all her correspondents henceforth to use the new one. To allow
a suitable overlap period, she keeps the old Private Key around for a further
six months, after which she destroys it (perhaps having issued a publicly
visible revocation certificate first). Observe that such a procedure is
considered standard best practice.

Now Grundy sends her a message using her Public Key from 5 years ago
(and provides Plod with incriminating "evidence" as before). Plod serves
a Section 46 Notice, and when she fails to comply (she cannot, even though
she is otherwise perfectly willing) she is prosecuted under S49, on the
grounds that she "has or has had possession" of that key.

The prosecution has to show

That Grundy's message had come into Plod's possession (under some part
of S46:(1)).

That Plod believed, on reasonable grounds (S46:(2)(a)), that Alice possessed
the key to decrypt it (the fact that Grundy had sent it to Alice would
appear to be reasonable enough grounds for that).

That serving a notice was necessary and proportionate (S46:(2)(b,c,d)) (we
assume Grundy's "evidence" was good enough for that).

That Plod had served the notice.

That Alice had not complied (S49:(1)(a)).

That Alice had had the key (S49:(1)(b)), which indeed she had.

And that is all the prosecution has to show (S49:(1)). Prima facie, Alice
is guilty.

In her defence, Alice is invited to show (S49:(2)(a)) that the key was
not in her possession at the relevant time. But how can anyone ever prove
that he does not possess something, especially something as intangible
as a key? It is impossible, so Alice gets sent to prison for 2 years.

This situation is grossly unjust. The onus of proof has been reversed,
contrary to the European Convention on Human Rights (and notwithstanding
the Secretary of State's statement in that regard on the front of the Bill).
Indeed FIPR have obtained Counsel's
Opinion to the effect that this provision is in breach of the ECHR,
whereas the government have blandly stated that the advice they have received
is to the contrary, whilst nevertheless refusing, on several occasions,
to disclose that advice or to cite cases or precedents in support of their
view.

Note that the words "has or has had possession" (S49:(1)(b)) were
added to the Bill in order to overcome objections that it contravened the
ECHR. In fact, those words have made the situation worse.

This issue has been widely debated, usually with more heat than light.
People speak in terms of "well everybody forgets their password from time
to time" (one ex-minister even admitted that he relied on his wife to remember
his). The fact is that it is the deliberate destruction of keys, as described
above, that is the more likely cause of these difficulties. For a business
that keeps careful records of what keys it has had and when they were destroyed
there may be little problem, but that is of no comfort to a private individual
such as Alice.

The Liberal Democrats introduced an amendment whose effect would
be to require an "intent to impede access to protected information", and
to ensure that there was no offence if, at the time of giving the notice,
the accused did not have the key, and did not have any means of recovering
it. The Conservatives proposed a different version of the same thing (see
below). The government, however, flatly refused any concession at all in
this matter.

The very least that is required is some time limit on that "had possession"
phrase (amendment C49(1)).

Scenario 15 - deliberate refusal to comply

Bob is a paedophile who keeps "naughty" pictures on his computer. But he
has them encrypted. Plod seizes the computer under a Magistrate's search
warrant, and serves a Section 46 notice on Bob to disclose the key, or
to decrypt the pictures.

Now Bob knows that the evidence of the pictures, once decrypted, would
be sufficient to earn him 10 years in jail (and let us assume that there
is insufficient evidence to convict him otherwise). He also knows that
the maximum penalty for failure to provide the key (or, equivalently, the
plaintext) is a mere 2 years. Therefore he refuses to comply, hence at
least avoiding the larger penalty.

The Conservatives have made great play with this scenario, and proposed
an amendment to the Bill which went beyond that put forward by the Liberal
Democrats by increasing the penalty for non compliance to 10 years, and
allowing evidence of previous convictions to be adduced in support of a
prosecution. The government has resisted this (whilst promising to review
the sentence in the light of actual experience). Moreover, the idea of
allowing previous convictions to be disclosed is repugnant to many, including
myself, though apparently there are a few precedents in other legislation.

Tipping Off

Scenario 16 - excessive secrecy

Bob (a suspected criminal) communicates with (innocent) Alice (possibly
at her place of work and using her employer's Public Key). Plod serves
a Section 46 Notice on Alice requiring her to provide keys or to decrypt
the communications. The notice requires Alice not to disclose the existence
of the notice, or of the actions taken pursuant to it, to anyone else (S50).

She may not tell Bob (naturally, that is the whole purpose of the exercise).

She may not tell her other correspondents (whose messages Plod is now able
to decrypt, whether or not that would be lawful).

She may not tell her Boss (even though his whole business is now at the
mercy of Plod).

She may not tell her Boss even if he asks her directly, and if she is sacked
for refusing to answer, then that is tough.

She may not tell her colleague, whose technical assistance she requires
in order to comply, and whom the Bill may elsewhere require her to consult
(S52:(2)). But if she asks nicely, Plod may give her a dispensation to
consult him (S50:(8)).

She may not tell a court of law, when giving evidence, even though not
to tell it might amount to perjury. Nor may she explain to the court why
she is unable to answer the question.

She may not tell her psychiatrist, even though she is having nightmares
on account of the stress she has been put under.

It has been doubted whether she may even publicly revoke her key (for that
might send a covert message to Bob). However, the Home Office have now
agreed that this would not be an offence (see Scenario
17).

The Bill makes NO exceptions for any of these circumstances. The only exceptions
it allows are

She may tell her lawyer, but only when asking him to explain this part
of the Act to her (S50:(5)), and then only if it does not further any criminal
purpose (S50:(7)).

Her lawyer (but not, apparently, Alice, unless she is a lawyer) may tell,
but only in connection with legal proceedings (S50:(6)), and then only
if it does not further any criminal purpose (S50:(7)).

That the disclosure was made by some automatic operation of her computer
(S50:(4)(a)), but only if she was unable to act quickly enough to stop it
(S50:(4)(b)).

Note that many of the problems illustrated above could have been avoided
if Alice had been aware that a session key would have been sufficient to
satisfy Plod (do not confuse this Alice with the Alice in a previous scenario).

Many of the problems here, however, arise from the requirement that
the secret must be kept from everybody, whereas it would have sufficed
for the Bill to require the notice to say that the secret was to be kept
from some named person, or some named class of persons (with a proviso
that anyone else informed of the matter was also to be informed of that
requirement of the notice). It is a simple matter of "opt-in" as opposed
to "opt-out". See amendment C50(1,3,4).

Moreover, the notice ought to specify some time beyond which (subject
to renewal of the notice) the secret need not be kept (such time being
normally related to the duration of any warrant which contained permission
for the notice to be issued).

It should also be noted that a similar problem arises in S18 in regard
to interception warrants.

Scenario 17 - indirect disclosure

The Home Office has agreed that, where a Private Key has been disclosed,
it is in order for the key owner to publish a public revocation of the
key without committing an offence, even though that might drop a strong
hint that it had been subject to an order. It is not clear how this can
be deduced from the Bill, but it does suggest an intention that "to keep
secret the giving of the notice ..." (S50:(1)) is to be interpreted literally.

Alice has disclosed the company's Private Key, but has been instructed
to keep the fact secret - even from her Boss. She speaks to her boss.

Alice

I think we should revoke our Public Key.

Boss

Why ever would we want to do that?

Alice

I couldn't possibly say.

Boss

Ah! I see! Have you been served with one of those Section 46 notices
then?

Alice

I couldn't possibly say.

Has Alice committed an offence? The secret is clearly out, but Alice
has not actually said anything wrong.

The Home Office have now agreed that Alice is not guilty here, but
their view is still not consistent with the wording in the Bill. See amendment
C50(4).

Scenario 18 - a weepie

Bob is a paedophile who has been abusing Alice (who is only 12 years old).
He has equipped Alice with encryption software and a Public/Private Key
Pair "so that we may keep our little secret". Plod obtains the key
from Alice, but instructs her not to tell anyone (because Bob has been
abusing other children, which Plod is continuing to investigate).

Alice cannot even tell her mother.

Circumstances allowing the issue of Notices

Scenario 19 - economic well-being of the U.K.

Dodge is a U.K. arms manufacturer, negotiating to supply arms to a Sheikh
in the Middle East. Frites is a French competitor, after the same business.
Frites has an agent Bob, who manages its UK office. Dodge would dearly
like to know the size of the Frites tender.

So Dodge approaches H.M.Government for assistance. Arrangements are
made to intercept communications between Frites and Bob, perhaps by the
interception of satellite transmissions. This may require an interception
warrant (S5:(1)), but ensuring that Dodge gets the contract surely counts
as "safeguarding the economic well-being of the United Kingdom" (S5:(3)(c))
and the information sought clearly "relates to acts or intentions of persons
outside the British Islands" (S5:(5)). A notice to disclose the decryption
key is served on Bob; surely this too is "in the interests of the economic
well-being of the United Kingdom" (S46:(3)(c)).

Can the notice also forbid Bob from tipping off Frites? Yes indeed,
provided only that the police or the intelligence services were involved
in the interception (S50:(2)(a)) and that the "investigating techniques"
needed to be kept secret (S50:(2)) (that is why they took the trouble to
intercept satellite transmissions, because simply keeping the information
secret from Frites is not itself grounds for requiring secrecy under S50).

But Hey! This is not Cricket!

But this ground of the "economic well-being of the U.K." arises in
several places in the Bill (S5:(3)(c), S21:(2)(c), S27:(3)(c), S28:(3)(c),
S30:(3)(c), S46:(3)(c)), sometimes with a restriction to matters outside
the British Islands, sometimes not. What is the purpose of these provisions,
if not for the kind of scenario described? It would seem so, from the rather
half-hearted comments made by the opposition during the various debates.
But if Parliament wishes to give the authorities those powers, then at
least the restriction regarding matters outside the British Islands ought
to be applied consistently, and certainly in connection with Section 46
Notices (amendment C46(5a)).

Scenario 20 - fishing

Hazard pays a routine visit to Dodge (as authorized by statute) to inspect
Dodge's plant. He asks to see the records of some calibration on the plant
from 12 months ago. He is told that the records are stored on Bob's computer
(they may even be encrypted) and that Bob is on holiday in the Outer Hebrides
for two weeks. Hazard is exceeding wroth, and rushes off to a Judge to
get permission to serve a Section 46 Notice on Bob (and flies off to Benbecula
to serve it).

Now Hazard is not investigating any crime, nor has he reason to suppose
(at this stage) that the data on Bob's computer might reveal any crime
(this started out as a routine visit). In plain terms, he is "fishing".
Therefore, he cannot claim (S46:(2)(b)(i)) that his key is "necessary"
for "preventing or detecting crime" (S46:(3)(b) or for any other purpose
in S46:(3)). Therefore he has to rely on S46:(2)(b)(ii), namely that obtaining
the key is "likely to be of value" in the performance of his statutory
duty.

S46:(2)(b)(ii) is a "fisher's" charter. There is no requirement so
weak anywhere else in the bill (cf S21:(2) and S5:(3)). The requirements
in S46:(3) provide quite adequate grounds for when Section 46 notices may
be issued and are, by and large, the same as those recognized as necessary
in the case of interception warrants. Attempts were made to remove this
provision at the Committee stage, but were not pursued further. See amendment
C46(2)b.

However, the counsel's
opinion already alluded to identifies this particular provision as
being a further violation of the ECHR, on grounds of its general vagueness
when set against the interference with an individual's private life which
it seeks to permit.

Scenario 21 - source of protected information

Hazard comes into possession of encrypted data in the course of some inspection
or search, as authorized under some statute (S46:(1)(a)). He may then obtain
permission (Schedule 1:1:(1) or Schedule 1:2:(2)) to issue a Section 46
Notice.

However, if the encrypted data was brought to him (perfectly legally)
by a member of the public (a "whistleblower"), he may not obtain such permission,
because he is not a police officer (S46:(1)(e)).

This anomaly should be removed.

Interception

I have not been studying Part I of the Bill with the thoroughness of
Part III. The remaining scenarios should therefore be regarded as just
a sample of the possible problems in that Part.

Scenario 22 - Public, Private and Other systems

The Bill defines the following terms regarding telecommunications (S2:(1)):

Telecommunication system

Telecommunications service

Public telecommunications service

Public telecommunication system (must be offered to a substantial
section of the UK public)

Private telecommunication system (must be attached, at a
point in the UK, to a public telecommunication system)

Closed telecommunication system (not officially defined,
but I shall use it for telecommunication systems which are neither public
nor private)

It is unlawful to intercept communications on a Public telecommunication
system or on a
Private telecommunication system unless you have a warrant or, for
a private system, you are its operator (well, there is a bit more to it
than that). The other difference between a Public and a Private system
is that it is not unlawful to intercept a Private transit system (sender
and recipient both outside the UK - S2:(4)).

Nothing is said about Closed telecommunication systems, so presumably
they are fair game for any eavesdropper (including, but not restricted
to, Plod) who can arrange to listen in.

The categorisation of systems where interception is and is not lawful
certainly seems odd, and one wonders whether the blanket exemption of Closed
systems was intended or not. Certainly, if the requirement for a Private
system to be attached to a Public one were removed (bringing its definition
into line with common sense) there would be little effect on the rest of
the Bill beyond making it unlawful to intercept on what is presently a
Closed system (leaving the so-called transit systems unaffected). See amendment
C2(1)a.

Scenario 23 - when is a system Public?

Chase and Dodge have leased a private line from British Telecom. They use
it only for communications initiated by their employees (i.e. the public
do not get to access it). Therefore it is not a Private telecommunication
system, so one might suppose it is a Closed one. But, strangely, it might
also be considered a Public telecommunication system.

There has been an interception on this line, and the question before
the Court is whether this was lawful. The matter hinges on whether the
telecommunication system was a Closed or a Public one. Justin1 appears
for the side which contends that it is Closed, and his twin brother Justin2
appears for the side that contends it is Public.

Justin1

With respect, M'Lud, I contend this IS NOT a Public Telecommunication
system as defined by S2:(1) of the Act.

The line is clearly a "Telecommunication System" under that section,
because it facilitates the transmission of communications (those between
my clients Chase and Dodge in this present case).

The provision of access to, and facilities for making use of, that Telecommunication
System to the employees of Chase and Dodge constitutes a "Telecommunications
Service" as defined by that section.

Who provides this service? Why, Chase and Dodge, of course, because
they administer it, they determine who (their employees in this instance)
may use it, and the purposes for which it may be used, and they have made
arrangements to connect the line into their internal networks.

Because Chase and Dodge do not offer this service to the public, nor
even to a substantial section of the public, it is not a "Public Telecommunication
Service", as defined under that section.

Therefore, this particular Telecommunication System (even though it
forms a part of the wider Telecommunication System operated by British
Telecom, as envisioned by the definitions) is not a "Public Telecommunication
System", because the service it provides is not a Public Telecommunication
Service, as required by that section.

Neither is it, as it so happens, a "Private Telecommunication System",
as the Act is currently worded, because it is not connected to a Public
Telecommunication System (but if it had been, it would have been).

Justin2

With respect, M'Lud, I contend this IS a Public Telecommunication system
as defined by S2:(1) of the Act.

The line is clearly a "Telecommunication System" under that section,
because it facilitates the transmission of communications. It forms a part
of the wider Telecommunication System operated by BT, as envisioned by
the definitions.

Chase and Dodge are provided with access to, and facilities for making
use of, that Telecommunication System for the purpose of sending communications.
Whether the communications are restricted to their employees or not is
a matter for Chase and Dodge. My clients British Telecom have provided
this service to Chase and Dodge in return for appropriate consideration.

My clients can and do provide this service to any member or section
of the public who are able and willing to pay for it. Therefore, the service
provided is a "Public Telecommunication Service" as defined in that section.

Therefore, this particular Telecommunication System is a "Public Telecommunication
System", because the service it provides is a Public Telecommunication
Service, as required by that section.

So who is right? Answer: they both are; there is no flaw in either of
those arguments. The problem arises because there are two services being
provided:

British Telecom are providing a service to Chase and Dodge

Chase and Dodge are providing a service to those who actually use the
line (their employees)

and both these services are "telecommunications services" according
to S2:(1). It is not clear how this conundrum is to be resolved, except
to say that common sense dictates that this system should be classified
as Closed (or otherwise as Private if the distinction between them is removed).

Scenario 24 - Methods of interception

The Smith Report
(see also my commentary upon it) has proposed that
"black boxes" should be installed at (at least the major) ISPs to select
targeted traffic from all data flowing through that ISP, and to send it
via secure lines to GTAC. These boxes would presumably perform a filtering
operation to select those communications which had been the subject of
interception warrants (S5:(1)) or data communications notices (S21:(4)).
The question is "who is to be in control of these boxes"?

It has been suggested by some people that GTAC will be in control, downloading
the filtering parameters directly into the boxes in accordance with
whatever warrants and notices are in force. This seems to be contrary to
the wording of the Bill, which seems to require that such warrants and
notices be served on the ISP (S11:(2), S21:(4)) (the ISP then typing the
necessary parameters into the box as indeed the Smith Report implies).
Nevertheless, there is considerable disquiet that there might be some intention
to proceed in this way (especially as interception of conventional telephone
calls currently uses such a procedure).

However, it should be noted that an ISP who permits parameters to be
entered into the black box from outside will thereby have

"so modified ... [his telecommunication] system, or its operation
... as to make some or all of the contents of the communication available,
while being transmitted, to a person other than the sender or intended
recipient of the communication." (S2:(2))

and thereby he will have intercepted each communication passing through
his system (S2:(2)), and thus he will have committed an offence under either
S1:(1) or S1:(2). But it would be reassuring to have a clear statement
from the Government on this matter.

Communications Data

The Bill provides for "communications data" (as defined in S20:(4))
to be disclosed by telecommunications operators (i.e. those who provide
telecommunications services - S24:(1)). There is an exemption (S21:(7)
- added at the Committee stage) that they may not ask for anything which
it is not reasonably practicable to provide, but the general requirement
still applies alike to both Public and Private operators. Clearly, any
logging data that the operator already keeps is fair game, but it is not
clear whether suddenly asking him to instal extra facilities (hardware
or software) to capture yet more data would be "reasonably practicable"
or not. Perhaps the Code of Practice will clarify this.

There are, however, weaknesses in the definition of communications
data, with the government appearing to take a broader view than the wording
may justify. Moreover, it is not entirely clear that the originating computer
of a communication is not itself a part of the telecommunication system.
I base my understanding on the wording in S2:(1) "for the purpose of facilitating
the transmission of communications". I think that was intended to
exclude the end points (and S2:(2) gives some credence to this view). It
is vital that this be cleared up, because things get much worse if I am
wrong, as the following scenario will show. See amendment
C2(1)b for an attempt to clarify this situation.

Scenario 25 - What can a notice demand?

Clearly, any communications data that Isaac is already storing as part
of his normal operations is accessible under notice, but note that The
Telecommunications (Data Protection and Privacy) Regulations 1998, which
implement Directive 97/66/EC of the European Union, place severe restraints
on what Isaac is allowed to keep. The following are various situations
which might or might not be covered under a requirement "to obtain the
data" (S21:(4)(a)).

A notice served on the GPO. "Record and disclose to me the addresses, postmarks,
return addresses (if present on the envelope), size and weight of all letters
and packets delivered to Bob". Seems legitimate, except perhaps for the
size and weight bit, but a lot of extra work for the sorting office.

A notice served on Isaac. "Record and disclose to me the time, the destination
and source addresses, and the size of all IP packets passing through your
router destined for the Block [123.234.121.*]". Seems legitimate, except
again for the size. It involves running a "sniffer" on the router, which
would seriously slow it down if a sizeable proportion of packets was to
be caught (note that routers do not normally retain such information,
except perhaps for statistical data and sampling for monitoring network
efficiency).

A notice served on Isaac. "Record and disclose to me the time, addresses,
etc. and the port numbers of all TCP handshakes negotiated between
Bob and Alice and passed through your router". TCP is a protocol one
layer above IP. But nearly every IP packet will have a TCP packet contained
within it. If Plod gets to know the port number negotiated, he will at
once know whether it is email, file transfer, web access, or whatever else
that is passing between Bob and Alice.

However, I would submit that this is not communications data.
Isaac is contracted with Bob and Alice to deliver unopened IP packets between
them. The TCP information was added by Bob, and need not be examined again
until it reaches Alice (or vice versa). Thus it should not be regarded
as attached to the communication "for the purposes of any telecommunication
system" (S20:(4)(a)) unless Bob's and Alice's computers are held to
be a part of the telecommunication system. However, it is sometimes
the case that parts of the telecommunication system will look inside
the TCP part, for example to prioritise different kinds of traffic, or
to divert certain kinds of traffic (for example, traffic for a web site
to a local proxy server). Thus this is a rather grey area in need of clarification.

A notice served on Isaac. "Record and disclose to me the time, destination
address, source address and length of every email that you deposit in Bob's
POP mailbox (or that you store in your mail queue for forwarding to Bob).
Also the Message-ID of each such email, and the sites that it passed through
on its way (Received: headers). Also the Subject:, Date:, In-Reply-To:,
Cc:, Bcc:, etc. headers". Note that this only applies where Bob has
contracted with Isaac to provide a mailbox or a mail queue to store Bob's
mail until it is convenient for him to dial in. So this one is OK (doubts
about 'length' excepted). The source and destination addresses are obviously
OK. They are normally contained in the "envelope" which accompanies the
email. The other items mentioned are part of the "headers" of the email,
so would involve looking inside it. However, the "Received" headers are
certainly communications data (they record the route taken by the message
so far) and the Message-ID might be if, for example, the operator of the
system is in the habit of using it for tracking messages through his system.
I would contend that the other headers mentioned are part of the content
of the message, and therefore should not be disclosed.

A notice served on British Telecom. "Record and disclose to me every request
for Directory Assistance made by Bob using your 192 service, including
which names he asked for and which telephone numbers he was given". No
way. That is definitely a "communication" between Bob and British Telecom.
An interception warrant would be needed.

A notice served on Isaac. "Record and disclose to me every DNS request
made by Bob to your nameserver ns0.isaac.net". "DNS" is "Domain
Name Service", used for translating "www.alice.co.uk" into an IP address
of the form [123.234.121.232]. It is essentially the same as the 192 example
above, and the same rule should apply, even though the request was made
entirely automatically by, for example, Bob's Web Browser.

A notice served on Isaac. "Record and disclose to me the URL of every page
that Bob requests to be downloaded from a Web Site". No, because this
involves looking inside Bob's IP packets to get at the TCP information
inside (and even at the HTTP information inside the TCP information). So
long as it is established that Bob's and Alice's computers are not part
of the telecommunication system they can only ask for the IP address
that Bob is sending the packets to (but they presumably know that
this is the address of a web site).

A notice served on Isaac. "Record and disclose to me the URL of every page
that Bob requests to be downloaded from a Web Site, using your proxy Web
Server". Here, Bob has contracted with Isaac to access the Web through
Isaac's Proxy (or more likely Isaac has talked him into doing it to reduce
his - Isaac's - telecommunications bill). In this case, the request might
be valid (it depends whether the service that Isaac is providing to Bob
through his proxy is a "telecommunication service"). An interesting case
is where Isaac redirects all port 80 traffic to his proxy whether Bob likes
it or not (and without telling Bob). Some ISPs do this, I believe.

My belief is that the correct answers to these questions are:

1: Yes. 2: Yes. 3: Just Maybe. 4: Yes. 5: No. 6: No. 7: No. 8: Maybe.

But some clarification of the wording would sure help (see amendment
C2(1)b for the question whether the end-points are part of the
telecommunication system, and amendment
C20(4)(a) et seq for other clarifications).

In particular, the government have been claiming that logs of accesses
to web sites are communications data. I would contend that the wording
of the Bill limits this just to who visited which site, and does not extend
to the identity of the pages downloaded.
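
To make the layering argument concrete, here is an added example (not part
of the original text) showing where the items asked for in notices 2, 3 and
7 sit inside one packet, and a record that keeps only what the reading above
would release. The packet, Bob's address, the port numbers and the function
names are constructed for illustration; the yes/maybe/no split is the view
argued in this scenario, not a statement of what the Bill settles.

```python
import socket
import struct

IP_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header
TCP_FMT = "!HHIIBBHHH"     # fixed 20-byte TCP header


def build_sample_packet(frag_offset=0):
    """Constructed sample: Bob's browser asking a web server for one page."""
    http = b"GET /private/page.html HTTP/1.0\r\nHost: www.alice.co.uk\r\n\r\n"
    tcp = struct.pack(TCP_FMT, 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    src = socket.inet_aton("192.0.2.10")        # constructed address for Bob
    dst = socket.inet_aton("123.234.121.232")   # address from the DNS example
    total = 20 + len(tcp) + len(http)
    # Checksums are left at zero; the parser below does not verify them.
    ip = struct.pack(IP_FMT, 0x45, 0, total, 0, frag_offset, 64, 6, 0, src, dst)
    return ip + tcp + http


def split_by_layer(packet):
    """Separate the fields of one IPv4 packet by the layer that owns them."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    (ver_ihl, _tos, total_len, _ident, frag, _ttl,
     proto, _csum, src, dst) = struct.unpack(IP_FMT, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("invalid IPv4 header length")

    # Layer 1: all a router needs in order to deliver the packet (notice 2).
    layers = {
        "ip": {"src": socket.inet_ntoa(src),
               "dst": socket.inet_ntoa(dst),
               "size": total_len},
        "tcp": None,
        "http": None,
    }
    # Only an unfragmented (or first-fragment) TCP packet starts with a
    # TCP header; later fragments carry no port numbers at all.
    if proto != 6 or (frag & 0x1FFF) != 0 or len(packet) < ihl + 20:
        return layers

    # Layer 2: added by Bob's computer, read again by Alice's (notice 3).
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    layers["tcp"] = {"src_port": sport, "dst_port": dport}
    data_off = (packet[ihl + 12] >> 4) * 4
    if data_off < 20:
        return layers

    # Layer 3: the request itself, inside the TCP data (notice 7).
    body = packet[ihl + data_off:total_len]
    parts = body.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        layers["http"] = {"method": parts[0].decode("ascii", "replace"),
                          "path": parts[1].decode("ascii", "replace")}
    return layers


def record_for_notice(layers, ports_read_by_network=False):
    """Keep only what the reading argued in this scenario would disclose.

    IP addresses and size are always kept (notice 2, with the doubt about
    size noted in the text). Port numbers are kept only when the operator's
    own equipment already reads them, the grey area of notice 3. The HTTP
    request line is never copied into the record (notice 7).
    """
    record = dict(layers["ip"])
    if ports_read_by_network and layers["tcp"]:
        record.update(layers["tcp"])
    return record


if __name__ == "__main__":
    parsed = split_by_layer(build_sample_packet())
    print("all layers :", parsed)
    print("disclosed  :", record_for_notice(parsed))
```

The destination address alone tells the reader which site Bob visited; the
page he asked for appears only in the innermost layer, which the record never
touches.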

Scenario 26 - What are S21:(3) authorizations for?

A S21:(3) authorisation authorises a constable (Plod, say) to "engage in
conduct" for obtaining communications data (as opposed to a S21:(4) notice
which requires a telecommunications operator to obtain the data). It is
totally unclear what sort of "conduct" is envisaged. It would seem that,
provided it is intended to obtain "communications data", the "conduct"
can be as outrageous as you could imagine. Plod is exonerated from any
criminal act he commits (S20:(2)) and from any civil liability (S20:(3)).

Perhaps it is something like the following. Plod has visited Isaac on
some pretext.

Plod

Nice set-up you have here.

Isaac

Yes indeed. We have to have the most up to date equipment in order
to provide a full service to our customers.

FX

Just then, Plod forces open the drawer of Isaac's desk (with a jemmy
he happens to be carrying), extracts a paper containing "interesting" communications
data, takes out his camera and photographs it.

Isaac

What the Hell do you think you are doing?

Plod

Obtaining and photographing this communications data. I have been authorised,
by a person designated by the Secretary of State (S24:(2)), to engage in
such conduct in accordance with S21:(3).

Isaac

The Heck you have. You have just committed a criminal act. I shall
call the Police.

Plod

I am the Police. And, in any case, S20:(2) of the Act renders
my "criminal act", as you choose to call it, "lawful for all purposes".

Isaac

In any case, that is OUR information. You have breached OUR copyright.
Let me have the film out of that camera immediately, or I shall sue you
in Court.

Plod

No you won't, because S20:(3)(a) explicitly excludes me from any civil
liability.

Is this over the top? If so, then what sort of scenario is envisaged
by the Bill? More realistically, one could imagine that Plod might try
to hack into Isaac's computers searching for communications data, in apparent
contravention of the Computer Misuse Act.

But if such conduct is not intended (and I hope it isn't), then what
scenarios are envisaged by S21:(3), which seems to allow Plod to
obtain communications data without troubling Isaac? Where else is he supposed
to get it from?

And how can the Bill be compatible with the ECHR if it permits such
abuses?